PeopleSoft Spotlight Series: Security Closer Look

A recent PeopleSoft Spotlight Series video took a closer look at PeopleSoft security and how you and your team can work together to build out a strongly protected application. The video covered:

  • Security considerations for the CEO
  • How to prevent PeopleSoft from becoming collateral damage
  • Elements of a security infrastructure
  • 10 questions for your IT security staff

Security Considerations for the CEO

IT security is not a concern for just the IT department. It has a much broader scope in terms of responsibility and consideration. All security is based on people, processes, and technology, and the biggest risk to an organization is often the behavior of the people inside it. How do you encourage and build an environment that leverages strong company-wide employee education on top of effective technology leadership within IT?

Security is an enterprise-wide responsibility, and it has to be top-of-mind in the corporate hierarchy. It is the responsibility of the CEO to make sure that is the case.

The consequences of the loss of security don’t have to be discussed at a technical level in the boardroom, but they should be a topic. Some security considerations that CEOs should keep in mind include:

  • The effect on your brand
  • Loss of consumer (or user) confidence in your ability to protect data
  • Diminished value (share price) of the organization

Data loss has a real effect on the bottom line through the loss of business and reparation expenses.

Another consideration to keep in mind is that not all hackers are blackhats. An attack could come from a criminal organization, a “hacktivist,” a whistleblower, or deliberate or inadvertent insider abuse.

Vulnerabilities keep changing, and each new technology opens new attack vectors. Regardless of a company’s size, it is likely that you have already been attacked, even if you don’t realize it. In addition to viruses, malware, and malicious software, it’s also important to consider the risks imposed by the use of smartphones, tablets, and cloud computing.

Due to government and industry mandates, there is a significant drive towards compliance and compliance certification. However, it’s important to remember that compliance does not equal security. Compliance certification is a point in time. Typically, certification is engaged for a project, possibly on an annual basis. On the other hand, security is an ongoing effort.

It’s easy to believe that security gets in the way of productivity, and there will always be that balance. Smartphones and tablets have forever changed the way that we work, but how can you be sure that these efficiency-boosting tools aren’t introducing additional security risks and/or leaving with data that they shouldn’t?

How to Prevent PeopleSoft from Becoming Collateral Damage

Some ways that you can improve your organization’s security include:

  • Collaboration
  • Enterprise security virtual teams
  • Enterprise-wide, tested, and updated security processes
  • System health dashboard
  • Weighted organization-specific CPU advisory analysis
  • Phishing awareness and protection

Elements of a Security Infrastructure

The image below shows a high-level overview of where most of the threats are likely to occur.

[Image: threat vectors]

Some issues and potential mitigation for each of these areas include:

[Image: concerns and mitigation]

10 Questions for Your IT Security Staff

Some important questions (and follow-up questions) for your IT security staff include:

  1. How often do you implement CPU PeopleSoft and PeopleTools fixes (including the tech stack)? Do you have someone responsible for reviewing the CPU notifications that are released every three months?
  2. Are you implementing SHA-256 certificates? Have you started? Are you planning for SHA-256 certificates?
  3. Are you using any form of limiting data display of sensitive information? (e.g., either a custom or a partner/third-party solution)
  4. Are you scrambling/de-identifying data in non-production copies of the database? (e.g., Oracle Data Masking or a custom or partner/third-party solution)
  5. Do you have a single sign-on (access management) solution in place with PeopleSoft?
  6. Do you have a federated identity solution in place with PeopleSoft?
  7. Do you have a mobile device/mobile application management solution in place with PeopleSoft?
  8. Are you using any form of ERP/WAP firewall with PeopleSoft?
  9. If you have F5/BigIP, are you using iRules for any management of PeopleSoft traffic?
  10. Have you implemented the following process topics? Do you have a security policy in place? Do you have a breach notification policy in place? Do you have a breach management policy in place? Do you have any log analysis solution in place that includes the PeopleSoft stack?

To take a closer look at PeopleSoft security, check out the video and additional resources attached below.

Additional Resources

PeopleSoft Spotlight Series: Security Closer Look